Imagine this… first day of your first corporate job. Within an hour of arriving you are sitting in a meeting room listening to a group of people discussing something very important in great detail and you don’t have a clue what they are on about. There are ‘pdis’,’inits’, ‘poes’, ‘cob’ and that’s before you look at systems ‘db2’, ‘sap’, ‘jde’, ‘pptx’ and ‘cfgs’. Its like you are on holidays but not the good kind. The kind where you are in a strange country where you don’t know the language so you pick Bambi hearts served rare off the menu because you see the word for venison and think you have just ordered a juicy steak.
You walk out of the meeting thinking you have made an enormous mistake and you are completely out of your depth. The thing is every company you will work in has their own secret language it might be a system or a corporate standard.
Splunk is no different.
pivots? indexes? search heads? forwarders? buckets? data models? cluster? and slaves?
Pretty sure your Oxford dictionary won’t help here. So the smart play is to head over to the Splunk Website and start searching their product dictionary. Only one problem when Splunk says
A hierarchically structured, search-time mapping of semantic knowledge about one or more datasets that encode the domain knowledge necessary to generate specialized searches of those datasets. Splunk Enterprise uses these specialized searches to generate reports and charts for pivot users.Splunk Splexicon
this is their definition for the term Data Model. English it may be but meaningful it certainly isn’t to the uninitiated.
So stick with me over the following weeks as I put together a Splunk Glossary to describe many of these terms in plain English so that even the non-techos will understand… Whilst I love Splunk I just think that a few English translations will go a long way.
If your a diehard techo knock yourself out with the Splunk Splexicon guide
Splunk Glossary
Buckets move through stages as they age. The buckets start as “Hot” and move to “Frozen”;
HOT – most recent data
WARM – hot bucket move to warm when they reach the limit set in the ‘maxDataSize’ or they are older than the ‘maxHotSpanSecs’
COLD – move to cold once the ‘maxWarmDBCount ‘is reached
FROZEN – once the ‘maxTotalDataSizeMB’ is reached if a coldToFrozenScript’ is setup otherwise the bucket is deleted
THAWED – Frozen buckets can be thawed manually
FISHBUCKET – see below
Share this Post
10 Comments on “The Secret Language of Splunk”
Hello admin, i have to say you have very interesting content here.
Keep up posting !
Thanks Heather, Is there a topic that you would be interested in me writing about?
Hey There. I found your blog using msn. This is a very well written article. I will make sure to bookmark it and come back to read more of your useful info. Thanks for the post. I’ll definitely comeback.
Thanks James, hope it was useful.
I really can’t believe how great this site is. Keep up the good work. I’m going to tell all my friends about this place.
Howdy would you mind letting me know which web host you’re working with? I’ve loaded your blog in 3 completely different web browsers and I must say this blog loads a lot faster then most. Can you recommend a good web hosting provider at a reasonable price? Thanks a lot, I appreciate it!
I host through bluehost
Aw, this was an incredibly good post. Spending
some time and actual effort to create a very good article… but what can I say…
I procrastinate a lot and don’t seem to get nearly anything done.
This piece of writing is genuinely a pleasant one it helps new web people, who are wishing in favor of blogging.
Oh my goodness! Awesome article dude! Thanks, However
I am having difficulties with your RSS. I don’t know the
reason why I cannot join it. Is there anyone else
getting similar RSS issues? Anyone that knows the solution can you kindly
respond? Thanks!!